The audit exploited weaknesses in four audited agencies and accessed patient data to demonstrate the multitude of risks to the security of patient data and hospital services.
The report found deficiencies in how health services manage user access to digital records, including unused and terminated employee accounts still enabled, and failure to keep user access forms as proof that users have had their access approved.
The work also uncovered a lack of any formal, regular user access review to ensure only staff who need access have it—only one audited health service was found to provide mandatory cyber and data security training to all staff.
“Given that staff actions can undermine ICT and physical controls, it is vital that all staff—including clinical staff—can identify and manage the risks to patient data,” the audit reported.
The report stated that Victoria’s public health system is “highly vulnerable” to the kind of cyber attacks recently a Melbourne-based cardiology provider, which resulted in stolen or unusable patient data and disrupted hospital services.
The audited health services are not proactive enough, and do not take a whole-of-hospital approach to security that recognises that protecting patient data is not just a task for their IT staff,” the report concluded.
The Auditor-General Andrew Greaves examined Barwon Health (BH), the Royal Children’s Hospital (RCH), and the Royal Victorian Eye and Ear Hospital (RVEEH), and also examined how two areas of the Department of Health and Human Services (DHHS), the Digital Health branch and Health Technology Solutions (HTS), are supporting health services.
“This weak security culture among government staff is a significant and present risk that must be urgently addressed,” the report said. “At one site, we accessed discarded, sensitive information too easily.